Posts by Josh:
Is obsolete the new secure?
I recently read an article in Defense Systems Magazine that toyed with the idea of using what most would consider obsolete technology as a “security” measure. In this case they were specifically talking about the use of 8-inch (yes, you read that right) floppy disks that hold about 1 to 1.2 megabytes of data.
They make a convincing case for it as well. How many hackers can write a malicious program à la Stuxnet with such a limited amount of storage, let alone have the equipment to write it to a disk?
Along this same vein, there are advocates of using old “retired” operating systems as a means of security. Really think about this point: how many hackers are going to develop and use exploits for Windows NT 4.0 or Windows 95? What about long-unsupported Solaris OSes? The cost-to-benefit ratio or, in business terms, return on investment (ROI) is almost nil since there are so few viable target systems.
Now, looking at things from a realistic perspective, companies by and large are not going to rely on aging and unsupported technologies for normal day-to-day business. Given that reality, they continually update to the latest and greatest version of whatever platform they are using.
Yet hiding in that dark corner somewhere they might just have that old system running some specialized system that they just “forgot” or simply are “afraid” to touch. This is often true of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. These are the systems that run everything from the robot that built your car, to the computer that controls a Computer Numerical Control (CNC) machine that makes parts, to the units that control the water and electrical systems for your utility companies. Companies really tend to hate updating these systems, regardless of how old they are, not only because of the cost involved but because they tend to control critical pieces of the company’s process or infrastructure.
There are really several big drawbacks to using obsolescence as a means of security. The first is that if there is a known vulnerability, there is no way to actually fix it. It is out there and can be exploited at any time. The second is attrition of technical experts with skills in that outdated software. Right now, you can find plenty of IT folks with current skill-sets on Windows XP if you’re still using it after the XPocalypse a few months ago. Taking that a few years back in time, try finding someone who is still in the industry with a current working knowledge of Windows NT 3.51, which was released nearly 20 years ago and stopped being supported more than a decade ago. The final issue is one of physical products: the hardware bits that these obsolete systems run on. Finding compatible systems for these old programs to run on becomes harder and more expensive as time goes on. This also includes the physical media for repair and reinstall if it’s required. How well is that 8-inch floppy going to hold up over time?
While obsolescence might very well work as a method to secure systems, in the long run the deck is stacked against it as a viable long-term solution to an ever-persistent problem.
The Death of Windows XP… XPocalypse
On the 8th of April 2014, Microsoft effectively “pulled the plug” on its decade-plus-old operating system, Windows XP. What this translates to for end users is fairly simple. Their Windows XP computer won’t stop running, but any future security issues that are identified with the operating system will not be fixed via a […]
Continuing Education and the IT Workforce
Recently at my place of employment there has been much ado about “Continuing Education” with regards to professional IT workers and specifically when it comes to certifications. Many of the grumblings I often hear are things of the nature: – I don’t know why I need to do this; I know how to do […]
The first DEFCON 318 group meeting will be December 12th at 6:00PM @ Noble Savage in downtown Shreveport. Come check it out.
Online Privacy: Is it real?
Online privacy, to a large degree, is a myth that we tell ourselves exists to ease our minds about the various things we do and place into the ether of the beast called the Internet. The largest problem with the Internet and the concept of privacy is how the Internet works. As an […]
Startup Weekend Shreveport-Bossier
Have you ever considered starting your own business but didn’t really know where to start? My friends over at the Shreveport-Bossier Cohab have the solution! This month (Oct 26-28, 2012) they are hosting a 54-hour “Startup Weekend” event! They will take you through the process. From their page: “All Startup Weekend events follow […]